Snort mailing list archives
Re: byte_test/byte_jump negative offsets
From: Nick Randolph <drandolph () sourcefire com>
Date: Mon, 22 Dec 2014 13:50:25 -0500
You want -8. The cursor is at the end of the content match. -4 only moves the cursor to the beginning of "tEXt".

On Thu, Dec 18, 2014 at 3:11 AM, Praveen D <praveend.hac () gmail com> wrote:
> Hi,
>
> Below is the data which I am trying to detect
>
> 1c 0c 00 00 *74 45 58 74* 41 41 41 41 41 41 41 41
> ....*tEXt*AAAAAAAA
>
> content:"tEXt"; byte_test:4,>,0x3000,*-4*,relative;
>
> Extract 0x1c0c0000 and compare with 0x3000
>
> After matching tEXt, where does the pointer point to? Should I use offset:-4 or offset:-8?
>
> Best Regards,
> Praveen Darshanam
--
Nick Randolph
Research Engineer
Sourcefire, Inc.
nrandolph () sourcefire com
Sourcefire.com <http://www.sourcefire.com/>
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
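The cursor arithmetic behind Nick's answer, as an added illustration (this is not Snort code and not part of the thread): a small Python model of the detection cursor after a `content` match and of how a negative `relative` offset in `byte_test` is resolved from it. The payload is the one from Praveen's question, re-entered as constructed sample bytes; `content_match`, `byte_test` and `check_rule` are hypothetical helper names, and the model assumes Snort's defaults of big-endian extraction and the cursor resting at the end of the matched content.

```python
# Added example, not code from the Snort project or the mailing-list thread.
# Models how Snort positions the detection cursor after content:"tEXt" and
# how byte_test resolves a relative (possibly negative) offset from it.
import struct

# Constructed sample payload from the question: 1c 0c 00 00 'tEXt' 'AAAAAAAA'
PAYLOAD = bytes.fromhex("1c0c0000" "74455874" "4141414141414141")


def content_match(payload: bytes, pattern: bytes, start: int = 0) -> int:
    """Return the cursor after matching `pattern`, or -1 if it is absent.

    Snort leaves the cursor at the END of the matched bytes, so a later
    `relative` option counts from there, not from the start of the match.
    """
    idx = payload.find(pattern, start)
    if idx < 0:
        return -1
    return idx + len(pattern)


def byte_test(payload: bytes, size: int, offset: int, cursor: int,
              relative: bool = True, endian: str = "big") -> int:
    """Extract `size` bytes at `offset` (from `cursor` when relative) as an int.

    Mirrors byte_test's default: big-endian unless little-endian is requested.
    Reads that leave the payload are rejected instead of silently matching.
    """
    base = cursor if relative else 0
    pos = base + offset
    if pos < 0 or pos + size > len(payload):
        raise ValueError(f"byte_test would read outside the payload: pos={pos}, size={size}")
    fmt = {1: "B", 2: "H", 4: "I"}[size]
    prefix = ">" if endian == "big" else "<"
    return struct.unpack(prefix + fmt, payload[pos:pos + size])[0]


def check_rule(payload: bytes, offset: int) -> bool:
    """Model of: content:"tEXt"; byte_test:4,>,0x3000,<offset>,relative;"""
    cursor = content_match(payload, b"tEXt")
    if cursor < 0:
        return False
    return byte_test(payload, 4, offset, cursor) > 0x3000


if __name__ == "__main__":
    cursor = content_match(PAYLOAD, b"tEXt")
    print(f"cursor after content match: {cursor}")          # 8, just past 'tEXt'
    for off in (-4, -8):
        val = byte_test(PAYLOAD, 4, off, cursor)
        print(f"byte_test offset {off}: 0x{val:08x} -> {check_rule(PAYLOAD, off)}")
```

Running it shows the point of the thread: the cursor sits at byte 8, so `-8` reaches the `1c 0c 00 00` length field (0x1c0c0000), while `-4` lands on the start of `tEXt` and extracts 0x74455874, the ASCII bytes of the match itself. Note that both values exceed 0x3000, so a rule written with `-4` would still fire on this test packet while checking the wrong field; verifying the extracted value, not just whether the rule alerts, is the check worth doing when tuning a `byte_test` offset.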
Current thread:
- byte_test/byte_jump negative offsets Praveen D (Dec 18)
- Re: byte_test/byte_jump negative offsets Nick Randolph (Dec 22)
- Re: byte_test/byte_jump negative offsets Praveen D (Dec 22)
- Re: byte_test/byte_jump negative offsets Nick Randolph (Dec 22)